Privacy Policy — CareSwaps

1. Overview and Scope

CareSwaps, LLC ("CareSwaps," "we," "us," or "our") is a healthcare technology platform providing algorithmic transfer matching software services. This Privacy Policy describes how we collect, use, store, share, and protect information submitted through the CareSwaps website, subscription platform, and associated services.

CareSwaps operates as a HIPAA Business Associate — not a Covered Entity. When our services involve Protected Health Information (PHI), we are bound by a Business Associate Agreement (BAA) with each participating facility and comply with 45 CFR Parts 160–164.

For detailed information about PHI, your rights under HIPAA, and our role as a Business Associate, please see our HIPAA Notice of Privacy Practices. This Privacy Policy governs general website, account, billing, and marketing data. The HIPAA Notice governs PHI specifically.

2. Information We Collect

2.1 Information You Provide

Account data: Name, email address, phone number, state of residence, relationship to the patient, and login credentials.
Subscription & billing data: Billing name, billing address, and payment method (credit card processing is handled by Stripe — CareSwaps does not store full card numbers).
Intake form responses (PHI): Resident identifying information, date of birth, current living situation, POA/MDPOA status, primary care needs, preferred timeline, and related details provided through our HIPAA-compliant Jotform intake.
Communications: Emails, support tickets, form submissions, and phone conversations with our team.

2.2 Information Collected Automatically

Technical data: IP address (truncated for analytics), browser type, device type, operating system, referring URL, pages viewed, and timestamps.
Cookies: Analytics cookies (Google Analytics 4, consent-gated), essential session cookies, and your cookie-preference cookie (cs_cookie_consent).

2.3 Information from Third Parties

When a participating facility shares availability or operational data with the platform, or when we receive data from service providers in the course of delivering our services (for example, payment-status updates from Stripe), we integrate that information under the terms of the applicable BAA, DPA, or service agreement.

3. How We Use Information

To operate and deliver the CareSwaps Platform Access Subscription.
To run the algorithmic transfer matching service using operational factors only (bed availability, payer acceptance, geographic proximity, timing).
To process subscription billing and manage subscription lifecycle events (renewal, cancellation, refund).
To communicate about your account, service updates, security notifications, and legally-required disclosures.
To provide customer support and respond to inquiries.
To maintain audit logs required by HIPAA, the Anti-Kickback Statute, and Colorado law.
To secure the platform, detect fraud, and prevent abuse.
To send subscription-related administrative emails (receipts, renewal reminders, breach notifications if legally required).

We do not sell personal data. We do not use PHI for advertising or marketing. We do not use PHI to target content.

4. How We Share Information

4.1 With Participating Facilities

Once a family opts into outreach, CareSwaps may share de-identified operational signals and geographic demand information with non-member facilities to notify them of interest. PHI is not shared with any facility that has not signed a BAA. After both facilities join the network (sign TSA + BAA), the algorithm reveals the match under the applicable BAA terms.

4.2 With Service Providers

Provider	Role	Agreement	PHI Access
Google Workspace	Email, Sheets (Master PHI DB), Drive, Apps Script	BAA (signed March 11, 2026)	Yes
Jotform (HIPAA Gold)	Intake form collection	BAA	Yes
Paubox	Encrypted outbound email for PHI	BAA	Yes
Stripe	Payment processing	DPA (payment processor exemption)	No
Cloudflare	DNS, CDN, edge hosting	DPA	No
Airtable	Operational database (de-identified IDs only)	Standard DPA	No
Make.com	Workflow automation (de-identified IDs only)	Standard DPA	No

4.3 For Legal and Safety Reasons

We may disclose information when required by law, to comply with a valid subpoena or court order, to protect the rights, safety, or property of CareSwaps or others, or to investigate fraud or security incidents. For PHI, all such disclosures are made in accordance with 45 CFR § 164.512.

4.4 In Connection with a Business Transaction

If CareSwaps is acquired, merges with another entity, or undergoes a significant corporate transaction, customer information may transfer to the successor entity, subject to this Privacy Policy and all applicable BAAs.

We do not sell personal data or PHI.

5. Data Security and Retention

We maintain administrative, physical, and technical safeguards designed to protect personal information and PHI, including role-based access controls, encryption in transit (TLS 1.2+) and at rest, multi-factor authentication for administrative accounts, audit logging, and periodic risk assessments.

Retention periods vary by data type. HIPAA-related records are retained for a minimum of six (6) years. Tax and financial records are retained for seven (7) years. Anti-Kickback Statute documentation is retained indefinitely. For the complete schedule, see our Data Retention Schedule.

6. Cookies and Analytics

CareSwaps uses a minimal cookie set. Our cookie banner gives you the choice to accept or decline analytics cookies. If you decline, we will not load Google Analytics. Essential session cookies required for the site to function are not controlled by the banner.

Our analytics configuration uses IP anonymization. We do not use cross-site tracking cookies, advertising cookies, or third-party marketing pixels.

7. Your Rights

7.1 Colorado Privacy Act (CPA) Rights

Colorado residents have the right to:

Access the personal data we hold about you
Correct inaccurate personal data
Delete personal data (subject to HIPAA and legal retention obligations)
Obtain a portable copy of your personal data
Opt out of targeted advertising, sale of personal data, and profiling (CareSwaps does not engage in any of these activities)
Appeal a denial of a rights request

To exercise any of these rights, email privacy@careswaps.com. We will respond within forty-five (45) days.

7.2 HIPAA Rights

If your request relates to PHI, please see our HIPAA Notice of Privacy Practices, which describes your rights to access, amendment, accounting of disclosures, and restrictions on use.

7.3 Right to Appeal

If we deny your request, you may appeal by replying to our denial email. If we deny your appeal, you may file a complaint with the Colorado Attorney General at coag.gov or, for PHI matters, with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr.

8. Children's Privacy

CareSwaps is a service for adult family members arranging senior-care transfers. Our services are not directed to children under 13, and we do not knowingly collect personal data from children. If you believe a child has submitted information to us, please contact privacy@careswaps.com and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated version with a new effective date and, where required by law, provide notice by email to active subscribers. Continued use of CareSwaps after the effective date constitutes acceptance of the updated policy.

10. Governing Law

This Privacy Policy is governed by the laws of the State of Colorado, without regard to its conflict-of-laws principles. For disputes, see our Terms of Service.

11. Contact

For privacy questions, rights requests, or to report a concern, contact us:

Privacy Officer: Michael Ford
Email: privacy@careswaps.com
Phone: (970) 306-7131
Mail: CareSwaps, LLC, 2519 S. Shields St., Suite 1K PMB 1159, Fort Collins, CO 80526

Regulatory complaints: HHS Office for Civil Rights — hhs.gov/ocr (PHI) · Colorado Attorney General — coag.gov (CPA).